Mortgage Connect is committed to protecting both its proprietary and customer data. To do this, Mortgage Connect has established a formal information security program to ensure appropriate controls are in place to safeguard sensitive data from unauthorized access or disclosure. The Mortgage Connect security program comprises both technical and procedural controls.
Mortgage Connect has deployed advanced next-generation firewalls with Intrusion Prevention System (IPS) at the network perimeter, configured in pairs for high availability. Public-facing systems are segmented within a DMZ, isolated from internal systems by a pair of next-generation firewalls protecting the intranet.
All servers reside within either Mortgage Connect’s primary or secondary data center. The data centers are enterprise-class co-location facilities providing air handling, power and network connectivity. Mortgage Connect maintains its own cage with access controls. The data centers maintain SOC I/II reports, which Mortgage Connect reviews on an annual basis. Both data centers and operational facilities provide physical security controls, including video monitoring, access controls, environmental monitoring and alerting, and visitor policy and procedures.
Mortgage Connect is a Microsoft shop utilizing Active Directory for centralized user account management. Users are assigned a unique user name and password. Passwords are required to be complex and changed frequently, and accounts lock out after a predetermined number of invalid attempts. User sessions are required to re-authenticate after periods of inactivity. Mortgage Connect performs routine user account reviews to ensure appropriate entitlements and the removal of dormant accounts.
All servers and workstations are built and hardened to the Mortgage Connect baseline standard, with servers performing a single role (e.g. IIS). Mortgage Connect employs antivirus on all desktops and servers. Antivirus is centrally managed, with definition updates pushed daily.
Mortgage Connect performs routine vulnerability scans and monthly patch management. A third-party external penetration test is performed annually.
Mortgage Connect requires all sensitive data transmissions to be encrypted using industry-recognized algorithms, whether sent over the web (e.g. HTTPS), by bulk file transfer (e.g. Secure FTP) or by email (e.g. TLS). Sensitive data is encrypted within the database. End users are restricted from writing to USB and CD-R.
Mortgage Connect has deployed a Security Incident Event Manager (SIEM) throughout the environment. The SIEM generates alerts, which are reviewed by designated members of IT. Mortgage Connect maintains an Incident Response Policy and Procedure to ensure incidents are investigated, resolved, and remediated.
Mortgage Connect maintains a Software Development Lifecycle (SDLC) for secure code development, including dynamic code scanning to detect potential security vulnerabilities. Developers do not have access to production data.
Mortgage Connect vendors are required to ensure that their policies, procedures and technical controls are in place so that the connection to, and transfer of, sensitive data remains secure and the risk of transferring malicious software into Mortgage Connect is reduced. The vendor is to maintain a secure computing environment, including the use of: up-to-date (patched) operating systems, centrally managed antivirus, user access through a proxy, and next-generation firewalls at the perimeter. Access to the Mortgage Connect environment shall be secured using an industry-recognized encryption algorithm agreed upon by Mortgage Connect and the vendor. The vendor shall maintain procedures that include the timely notification to Mortgage Connect of an employee’s change of status, and periodic access reviews to address user entitlement changes. In the event of a security incident within the vendor environment, the vendor is required to notify Mortgage Connect in a timely manner and to provide necessary access to system logs, user interviews and relevant information about the event in question.